TZ-500 - Loads of Probably and Possible Port Scans
jarmstrong
This is coming from an unknown IP on the X1 to our public IP on X1 using port 443.
- Created an Address Object with the IP that is scanning (WAN)
- Created a WAN to WAN access rule to Deny the IP in question
Not sure what is wrong with my Access rule, but these port scans are coming once a minute.
Suggestions welcome!
Category: Entry Level Firewalls
Answers
Does the new access rule have a higher priority than other WAN-to-WAN access rules? Are there any conflicting rules with a higher priority than your new rule?
It has the highest priority
I think that port scan detection detects port scans whether your firewall would have allowed the traffic or not, so having a rule makes no difference.
Additionally, I have a suspicion that some innocuous patterns of traffic will trigger the detection; imagine a scenario where clients open multiple connections to a web server on port 443. The connections to the server will all come from random high ports to the same port. The firewall sees all the replies from the server's IP going back to multiple ports and this matches the "port scan" pattern, and raises an alert.
For these reasons, I think port scan detection is just noise and you should disable it.
Everything online is constantly scanned so I don't think those alerts have much value. I always disable it from the diag page.
What might have value would be dynamic blocking logic, where ports would be blocked by source IP if the firewall detects probing to consecutive ports in a short time period.
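The two ideas in the answers above (a direction-blind "many ports from one IP" heuristic that fires on a web server's own replies, versus counting only new connection attempts to consecutive ports within a short window) can be shown side by side. The script below is an added illustration written for this thread, not SonicWall code and not how the TZ-500 implements its detection; the flow records and IP addresses are constructed and the field names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed packet/flow. All fields are assumed, simplified names."""
    ts: float        # seconds since start of capture
    src: str         # source IP
    sport: int       # source port
    dst: str         # destination IP
    dport: int       # destination port
    syn_only: bool   # True for a new connection attempt (SYN without ACK)


SERVER = "203.0.113.10"   # constructed: our public web server on X1
CLIENT = "198.51.100.7"   # constructed: a normal browser client
PROBER = "192.0.2.99"     # constructed: a host walking consecutive ports

# Constructed sample traffic (not real firewall logs):
SAMPLE_FLOWS = (
    # 1) a normal client opens six connections to the server's port 443
    [Flow(0.0 + i * 0.5, CLIENT, 50001 + i * 37, SERVER, 443, True)
     for i in range(6)]
    # 2) the server's replies go back to six different client ports
    + [Flow(0.1 + i * 0.5, SERVER, 443, CLIENT, 50001 + i * 37, False)
       for i in range(6)]
    # 3) a genuine probe: SYNs to ports 20..27 of the server within a second
    + [Flow(10.0 + i * 0.1, PROBER, 40000, SERVER, 20 + i, True)
       for i in range(8)]
)


def naive_port_scan(flows, threshold=5):
    """Direction-blind heuristic: flag any source IP that sends to at least
    `threshold` distinct destination ports. Because it ignores whether the
    packet is a reply, the web server itself trips it (the false positive
    described in the thread)."""
    ports = defaultdict(set)
    for f in flows:
        ports[f.src].add(f.dport)
    return {ip for ip, p in ports.items() if len(p) >= threshold}


def longest_consecutive_run(ports):
    """Length of the longest run of consecutive integers in `ports`."""
    s = set(ports)
    best = 0
    for p in s:
        if p - 1 not in s:          # p starts a run
            n = 1
            while p + n in s:
                n += 1
            best = max(best, n)
    return best


def consecutive_probe_detector(flows, window=10.0, min_run=5):
    """Flag a source that sends new-connection attempts (SYN only) to at
    least `min_run` consecutive ports on one destination within `window`
    seconds. Replies are ignored, so server traffic cannot match, and a
    client hammering a single port only ever forms a run of length 1."""
    attempts = defaultdict(list)
    for f in flows:
        if f.syn_only:
            attempts[(f.src, f.dst)].append((f.ts, f.dport))

    flagged = set()
    for (src, _dst), seq in attempts.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            in_window = {p for t, p in seq[i:] if t - t0 <= window}
            if longest_consecutive_run(in_window) >= min_run:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("naive heuristic flags:     ", sorted(naive_port_scan(SAMPLE_FLOWS)))
    print("consecutive-probe detector:", sorted(consecutive_probe_detector(SAMPLE_FLOWS)))
```

Running it flags both the server and the prober under the naive rule, but only the prober under the consecutive-port rule, which is the behaviour the last answer asks for as a basis for blocking a source IP.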